This is the accessible text file for GAO report number GAO-11-687R entitled 'Management Report: Opportunities for Improvements in FDIC's Internal Controls and Accounting Procedures' which was released on August 5, 2011. This text file was formatted by the U.S. Government Accountability Office (GAO) to be accessible to users with visual impairments, as part of a longer term project to improve GAO products' accessibility. Every attempt has been made to maintain the structural and data integrity of the original printed product. Accessibility features, such as text descriptions of tables, consecutively numbered footnotes placed at the end of the file, and the text of agency comment letters, are provided but may not exactly duplicate the presentation or format of the printed version. The portable document format (PDF) file is an exact electronic replica of the printed version. We welcome your feedback. Please E-mail your comments regarding the contents or accessibility features of this document to Webmaster@gao.gov. This is a work of the U.S. government and is not subject to copyright protection in the United States. It may be reproduced and distributed in its entirety without further permission from GAO. Because this work may contain copyrighted images or other material, permission from the copyright holder may be necessary if you wish to reproduce this material separately. GAO-11-687R: United States Government Accountability Office: Washington, DC 20548: August 5, 2011: The Honorable Steven O. App: Deputy to the Chairman and Chief Financial Officer: Federal Deposit Insurance Corporation: Subject: Management Report: Opportunities for Improvements in FDIC's Internal Controls and Accounting Procedures: Dear Mr. App: In March 2011, we issued our report on the results of our audit of the financial statements of the Deposit Insurance Fund (DIF) and the Federal Savings and Loan Insurance Corporation Resolution Fund (FRF) as of, and for the years ending December 31, 2010, and 2009, and on the effectiveness of the Federal Deposit Insurance Corporation's (FDIC) internal control over financial reporting as of December 31, 2010. We also reported our conclusions on FDIC's compliance with selected provisions of laws and regulations.[Footnote 1] The purpose of this report is to present information on certain internal control and accounting procedure issues we identified during our 2010 audit and to provide our recommended actions to address these issues. We are making six recommendations for strengthening FDIC's internal controls and accounting procedures. In addition, we are providing an update on the status of recommendations we made to address internal control issues identified in previous audits (enclosure I). Results in Brief: During our audit of the DIF's and the FRF's 2010 and 2009 financial statements, we identified several internal control issues that, while not rising to the level of a significant deficiency[Footnote 2] or material weakness[Footnote 3] either individually or in the aggregate, nonetheless warrant management's attention and action. These issues involved the following: * FDIC did not have clear and comprehensive documentation of its process used to derive the nearly $39 billion year-end estimate of DIF's losses resulting from loss-share agreements. The lack of such documentation could impact FDIC's ability to ensure that the methodology for deriving one of the most significant estimates on DIF's financial statements is in conformity with management intent, results in a reasonable estimate of loss, and is consistently applied by staff in future periods. * FDIC's internal controls were not fully effective in identifying and correcting errors resulting from the highly manual, complex process used for deriving the allowance for losses on DIF's Receivables from resolutions, net financial statement line item. This resulted in increased risk of inaccurate or incomplete data used in the year-end financial reporting. * FDIC's internal controls were not fully effective in ensuring compliance with its methodology for valuing certain failed financial institution assets. As a result, FDIC did not prevent or detect numerous errors we identified during our 2010 audit. * FDIC's internal controls were not fully effective in identifying and correcting receivership disbursements applied to incorrect general ledger expense accounts. As a result, five receiverships reported misclassified expenses on their statements of operations. * FDIC did not document an analysis supporting its decision to not recognize additional amounts of the deferred revenue related to the Temporary Liquidity Guarantee Program (TLGP) as income to the DIF in 2010. As a result, FDIC lacked documentation supporting its decision to retain over $9 billion in deferred revenue on DIF's balance sheet. * FDIC's procedures over the monthly general ledger closing process were not sufficiently detailed to ensure staff understood and completed their responsibilities correctly. As a result, FDIC was at increased risk that general ledger closing procedures would not be performed completely and effectively, which could result in financial reporting errors. At the end of our discussion of each of these issues in the following sections, we provide our recommendations for strengthening FDIC's internal controls or accounting procedures. These recommendations are intended to improve management's oversight and controls and minimize the risk of misstatements in DIF's and FRF's financial statements. At the beginning of our 2010 financial audit, we had 16 recommendations to improve FDIC's financial operations from prior year audits that remained open and therefore required corrective action by FDIC.[Footnote 4] FDIC has continued to work to address many of the internal control issues to which these open recommendations relate. In the course of performing our 2010 financial audit, we identified numerous actions FDIC took to address many of its internal control issues. On the basis of FDIC's actions, which we were able to substantiate through our audit, we are closing 12 of our prior years' recommendations. Consequently, a total of 10 financial management- related recommendations need to be addressed--4 from our prior years' audits and 6 new recommendations resulting from our 2010 financial audit. See enclosure I for more details on the status of FDIC's actions to address our prior year recommendations. We provided FDIC with a draft of this report and obtained its written comments. In its comments, FDIC concurred with all of our recommendations and described actions it has taken, has underway, or plans to take to address the control weaknesses described in this report. In addition, FDIC provided an update on actions it has taken or plans to take to address our prior open recommendations related to it's oversight of lockbox bank operations and it's processing of receivership disbursements. At the end of our discussion of each of the issues in this report, we have summarized FDIC's related comments and our evaluation. We have also reprinted FDIC's written comments in their entirety in enclosure III. In addition to its written comments, FDIC provided technical comments, which we considered and have incorporated where appropriate. Scope and Methodology: As part of our audit of the two funds[Footnote 5] administered by FDIC, we determined whether FDIC maintained, in all material respects, effective internal control over financial reporting as of December 31, 2010. We also tested compliance with selected provisions of laws and regulations that had a direct and material effect on the financial statements. In conducting the audit, we examined, on a test basis, evidence supporting the amounts and disclosures in the financial statements, assessed the accounting principles used and significant estimates made by FDIC management, and obtained an understanding of FDIC and its operations. We also tested internal control over financial reporting. We did not evaluate all internal controls relevant to operating objectives, such as controls relevant to ensuring efficient operations. We limited our internal control testing to controls over financial reporting. We performed our audit of the DIF's and the FRF's 2010 and 2009 financial statements in accordance with U.S. generally accepted government auditing standards. We believe that our audit provided a reasonable basis for our conclusions in this report. Further details on our audit methodology are presented in enclosure II. Documentation of Loss-Share Loss Estimation Process: During our 2010 financial audit, we found that FDIC did not have clear and comprehensive documentation of its process used to derive the year- end estimate of DIF's losses resulting from loss-share agreements. The lack of such documentation could impact FDIC's ability to ensure that the methodology for deriving one of the most significant estimates on DIF's financial statements is in conformity with management intent, results in a reasonable estimate of loss, and is consistently applied by staff in future periods. Beginning in 2008 and continuing through 2010, FDIC used purchase and assumption agreements with accompanying loss-sharing agreements as the primary means of resolving failed financial institutions.[Footnote 6] Under these agreements, FDIC sells a failed institution to an acquirer with an agreement that FDIC, through the DIF, will share in any losses the acquirer experiences in servicing and disposing of a failed institution's assets purchased and covered under the loss-share agreement.[Footnote 7] Through December 31, 2010, 223 resolutions of failed institutions were structured with loss-share agreements. FDIC calculated an estimate of the amount of loss it believed it would incur for each loss-share agreement. As of December 31, 2010, FDIC estimated the DIF's cumulative losses resulting from loss-share agreements was $39 billion. The estimate is reflected in the line item Receivables from resolutions, net on the DIF's balance sheet, as a component of the $86 billion allowance for losses established against this line item at December 31, 2010.[Footnote 8] In our 2009 financial audit, we identified a material weakness in FDIC's controls over its process for deriving and reporting estimates of losses to the DIF from loss-share agreements.[Footnote 9] Specifically, we found that FDIC's existing controls were not fully effective in preventing or detecting and correcting errors in developing and reporting loss-share estimates in FDIC's draft 2009 financial statements of the DIF. As described in our audit report, we identified weaknesses in FDIC's controls over (1) the development of initial loss-share loss estimates, including verifying the accuracy of the calculations; (2) managerial review and oversight of the initial loss-share estimation process and its underlying assumptions; and (3) reporting of the loss-share loss estimates as part of the allowance for losses against the Receivables from resolutions, net line item on the DIF's balance sheet. To correct these control deficiencies, we recommended that FDIC officials (1) establish mechanisms for monitoring implementation of newly issued policies and procedures over the process for calculating initial loss-share loss estimates; (2) develop specific procedures for documenting assumptions underlying initial loss-share loss estimates, including periodic managerial review and approval of assumptions and changes over time; and (3) establish and document detailed procedures for ensuring the completeness and accuracy of the overall allowance for losses calculations, including loss-share-related losses. In response to the material weakness in internal control we reported, FDIC developed and implemented a corrective action plan during 2010 that included additional controls to address the control deficiencies we identified. Specifically, FDIC: * implemented a new review process and created new documentation procedures over the development of initial loss-share loss amounts; * established additional monitoring and review of loss-share estimates with the creation of the Closed Bank Financial Risk Committee dedicated to oversight of the loss-share agreement process, including approval of underlying assumptions in loss-share-related calculations and ongoing periodic reviews of initial and updated loss-share loss estimates; and: * enhanced controls over both the inclusion of loss-share-related losses in the allowance for losses determination and the overall process for calculating the allowance for losses related to the Receivables from resolutions, net line item on the DIF's balance sheet. During our 2010 financial audit, we found that FDIC's actions significantly reduced the risk that a material misstatement would not be detected and timely corrected, and concluded that FDIC no longer had a material weakness in internal control over its loss-share loss estimation process. However, we identified an additional deficiency in controls over this process during our 2010 financial audit. In responding to prior year issues, FDIC developed a new process and automated programs for deriving the year-end loss-share loss estimates. The process is complex and relies on multiple manual inputs to the automated program. For instance, the estimation process includes a number of databases that rely on manually recording data for individual loss-share agreements.[Footnote 10] Because of its complexities, full, complete, and clear documentation covering all aspects of the loss estimation process is crucial. However, FDIC did not have a comprehensive loss-share loss estimation process manual. Because the loss estimation process evolved over several months, continuing through to year-end, FDIC did not validate and fully implement the process until late December 2010. Throughout that period, FDIC developed documentation to support the inputs, assumptions, and the review and validation procedures, resulting in the generation of over 20 documents. However, none of these documents contained a comprehensive description of the overall process and, while complementary, contained overlapping information without linkages or traceability between the documents. The lack of comprehensive documentation added to the difficulty of understanding the process without having a preexisting knowledge of it and thus increased the risk that only a limited number of key personnel would be able to implement the methodology in the manner intended by FDIC management in future periods. The Standards for Internal Control in the Federal Government[Footnote 11] provides that internal control and all transactions and other significant events need to be clearly documented, and the documentation should be readily available for examination. All documentation and records should be properly managed and maintained. At year-end, the estimated loss from loss-share agreements is a key element used in deriving the overall allowance for losses on the DIF's Receivables from resolutions, net financial statement line item. As such, the ability to easily understand and review the loss-share loss estimation process through clear and comprehensive documentation is important for FDIC's management team to validate that the process is operating as intended and is providing a reasonable estimate of losses, as well as to ensure that the methodology is consistently applied in future periods. Recommendation: We recommend that you direct the appropriate FDIC officials to develop comprehensive loss-share process documentation to include detailing the loss-share loss estimation process steps to be followed from the inception of the agreement to the reporting on the financial statements, including details regarding assumptions, databases, computer programs, and any other related materials used to estimate losses resulting from loss-share agreements. FDIC Comments and Our Evaluation: FDIC agreed with our recommendation and stated that it would improve its documentation of the loss-share estimation process through the development of better data flow diagrams and improved linkages and traceability across documents. FDIC also stated it will continue to use the Closed Bank Financial Risk Committee to vet and brief loss estimation methodologies, assumptions, application, and overall process monitoring. We will review and evaluate FDIC's documentation of the loss-share loss estimation process during our 2011 financial audit. Reviews of the Allowance for Losses Estimation Process: During our 2010 financial audit, we found that FDIC's internal controls were not fully effective in identifying and correcting errors resulting from the highly manual, complex process used for deriving the allowance for losses on the DIF's Receivables from resolutions, net financial statement line item. This resulted in increased risk of inaccurate or incomplete data being used in the year-end financial reporting. When an FDIC-insured financial institution fails, the institution is placed into a receivership administered by FDIC. As part of this process, FDIC, through the DIF, closes the institution on behalf of the chartering entity. This also includes paying off or transferring insured deposits and selling some or all of the failed institution to an acquiring institution. The amount of funds FDIC disburses on behalf of the DIF to resolve the failed institution represents a claim, or receivable, the DIF has against the failed institution's receivership, which is also operated by FDIC. Subsequent to the closing and initial disbursement of funds, FDIC, through the DIF, may periodically advance additional funds to the failed-institution receivership to cover operating costs while the assets and liabilities of the receivership are sold or otherwise disposed. These subsequent advances add to the DIF's claim, or receivable, against the receivership. Proceeds from the servicing, sale, or disposition of the failed-institution receivership's assets are used to pay off, or reduce the DIF's outstanding receivable. For financial reporting purposes, FDIC periodically estimates what portion of the outstanding balance of the DIF's receivable from resolutions is collectible. This estimate is primarily based on the amounts FDIC expects the DIF will recover through the servicing, sale, and disposition of the receivership's assets. The difference between the outstanding receivable balance and the amount FDIC estimates will ultimately be collected represents the allowance for losses on the receivable to be included in the DIF's financial statements. To calculate the allowance for losses against amounts owed to the DIF by a receivership, FDIC's Division of Finance (DOF) utilizes a spreadsheet-based worksheet, which it refers to as the Loan Loss Reserve (LLR) template. The LLR template provides a structure for capturing the data needed to determine the allowance for losses amount by individual receivership, which FDIC then aggregates to arrive at the total corporate-level allowance for losses. The LLR template calculations consider receiverships' cash, estimated asset recoveries from the sale of loans and other assets of the failed institution, and administrative liabilities, including estimated losses under loss- share agreements, to determine the receiverships' ability to pay amounts due to FDIC. For 2010, FDIC completed LLR templates for each of its over 300 active DIF receiverships. During our 2009 financial audit, we found that FDIC's controls over the calculation of the corporate-level allowance for losses for the Receivables from resolutions, net line item were not effective in preventing, or detecting and correcting, errors and omissions for year- end reporting.[Footnote 12] As a result, we identified numerous errors and omissions in FDIC's calculation of the DIF's allowance for losses that were not detected or corrected through FDIC's own review and monitoring processes. We recommended that FDIC officials establish and document detailed procedures for DOF officials to follow in reviewing the LLR template calculations to ensure they are complete and accurate, including data requiring verification.[Footnote 13] During our 2010 financial audit, we found that, based on prior year audit findings, FDIC established and documented additional control and review procedures over the LLR template process to ensure the calculations are complete and accurate. For example, FDIC established additional manual reviews of the calculation of the allowance for losses. We found that FDIC's actions to improve its controls over the LLR template process were largely effective in preventing, or detecting and correcting, significant errors and omissions as of December 31, 2010. Nevertheless, the extensive amount of manual monitoring involved makes this process susceptible to errors or incomplete data, and, in fact, FDIC's review process during 2010 did not always detect and correct errors as of year-end. Specifically, in reviewing the underlying formulas embedded in the LLR templates used in the calculation of the allowance for losses, we identified two incorrect formulas.[Footnote 14] We identified these errors by using automated programming tools to verify the accuracy and consistency of formulas. Although the errors we identified did not significantly impact DIF's 2010 financial statements, the level of manual monitoring involved in verifying the hundreds of formulas and references in the LLR template makes the process highly susceptible to error. The Standards for Internal Control in the Federal Government[Footnote 15] provides that control activities are to help ensure that all transactions are completely and accurately recorded. These control activities should generally be designed to assure that ongoing review and monitoring occurs in the course of normal operations. The accuracy and reliability of the LLR templates is critical to the calculation of DIF's allowance for losses on its Receivables from resolutions, net line item. However, the complexity and manual nature of the LLR template reviews increases the risk that inaccurate or incomplete data could be used in the year-end calculations for the overall allowance for losses and not be detected and corrected. Use of a more automated process to review the accuracy of the complex LLR process could increase its reliability while decreasing the level of manual efforts needed to verify the templates. Recommendation: We recommend that you direct the appropriate FDIC officials to consider and adopt, as appropriate, additional cost-effective automated tools and procedures for DOF officials to enhance the review and monitoring activities related to the LLR templates to gain additional assurance that the underlying data and calculations are complete and accurate. FDIC Comments and Our Evaluation: FDIC agreed with our recommendation and stated that it was developing a more automated process to generate the LLR templates which will incorporate automated error reporting to improve the quality assurance over the process. FDIC stated that it expects to have these actions fully implemented by August 31, 2011. We will evaluate the effectiveness of this new automated process during our 2011 financial audit. Review of Asset Valuations: During our 2010 financial audit, we found that FDIC's internal controls were not fully effective in ensuring compliance with its methodology for valuing certain failed financial institution assets in 2010. Specifically, FDIC's review procedures over its asset valuation process did not prevent or detect numerous errors we identified during our 2010 audit. When a depository institution fails, the assets of the failed bank that are not sold at closing become assets of the receivership. The receivership assets are not directly reported on the face of the DIF's financial statements; rather, the estimated recovery value of these assets is a factor used in developing the overall allowance for losses on the DIF's Receivable from resolutions, net line item. To provide for a consistent approach to value assets for financial reporting, FDIC developed the Standard Asset Valuation Estimation (SAVE) methodology. The SAVE methodology involves sampling from various classes of assets, valuing the sampled assets, developing an average recovery rate for the various classes of assets, and then applying that recovery rate to the population of each particular class of asset. The policies and procedures for the SAVE methodology are documented in the SAVE Instructions Manual. To help identify and correct errors, and to ensure both accuracy and consistency in the process, the SAVE methodology requires that all asset valuations undergo two levels of review. The first-level reviewer is responsible for tracing numbers used in the asset valuation calculation back to source documents and determining if the asset valuation is logical and fully substantiated. The second-level reviewer is responsible for ensuring the valuation methodology was properly applied and that the valuation is logical and reasonable. In 2010, FDIC used the SAVE methodology to value the following six classes of failed financial institution assets: (1) fixed assets, (2) deficiency loans, (3) judgments, (4) investments in subsidiaries, (5) loans to subsidiaries, and (6) other assets. The inventory of assets valued using the SAVE methodology included 5,527 assets. From that population, FDIC selected a sample of 195 assets with a total book value of $4.3 billion and valued these assets using the SAVE methodology. To conduct our review of FDIC's valuation process, we selected 28 of FDIC's 195 sampled assets with a book value of $4.1 billion, which represented 95 percent of the dollar value of FDIC's sample. In testing our sample of 28 assets, we found FDIC made errors in six assets that were not detected and corrected by its review process. Specifically, we found the following: * FDIC used an incorrect discount rate to value one asset. As a result, the asset was overvalued by about $281,000. * FDIC made multiple errors on one valuation, including multiplying an incorrect commission fee (FDIC used 0.375 percent instead of .00375 percent) to an incorrect basis (FDIC used the sales price instead of the unpaid balance it should have used) to calculate commissions, and erroneously including the value of two expenses that had already been paid to value the asset. As a result, the asset was overvalued by about $211,000. * FDIC used an estimate of tax refunds instead of the actual refund amount that had been paid months prior to the valuation. As a result, the asset was undervalued by over $170,000. * FDIC used an appraisal value instead of the more recent sales contract value in its cash flow analysis to value an asset. As a result, the asset was overvalued by nearly $22,000. * FDIC identified an accounts payable amount as a liability, but did not include it in the cash flow analysis to value an asset. As a result, the asset was overvalued by over $2,200. * FDIC incorrectly applied a $5,800 management fee instead of $5,850 to value an asset. As a result, the asset was overvalued by $50. None of these errors, individually or when projected and applied to the universe of the SAVE sample, represent material errors. However, the number and nature of the errors we identified indicate that the review process required by the SAVE methodology to minimize errors going undetected and uncorrected was not fully effective. The Standards for Internal Control in the Federal Government[Footnote 16] provides that agencies implement internal control procedures to ensure the accurate and timely recording of transactions and events, In addition, these standards provide that qualified and continual supervision be provided to ensure that internal control objectives are achieved. All of the 28 assets we reviewed had indications of both first-level and second-level reviews. However, both reviews failed to detect the errors we identified in the asset valuation calculations. These errors should have been detected and corrected if reviewers had complied with the requirements under the SAVE methodology to trace numbers used in the asset valuation calculations back to source documents, and ensure that the valuation was fully substantiated, logical, and reasonable. Recommendation: We recommend that you establish a mechanism to better ensure FDIC officials comply with the SAVE methodology's review procedures for asset valuations, including correctly tracing the numbers used in the calculations back to the source documents and verifying that asset valuations are fully substantiated, logical, and reasonable. FDIC Comments and Our Evaluation: FDIC agreed with our recommendation and noted several actions it has recently taken to improve compliance. Specifically, FDIC stated that it rewrote the SAVE manual to create a series of individual job aids that provide more guidance on roles and responsibilities, including specifics about how to verify calculations and actions, affirm that assumptions are correctly applied, and review supporting documents that are the source for calculations, actions, and assumptions. In addition, FDIC stated it has begun conducting classroom training that includes examples and accompanying narrative for correct and incorrect calculations. We will evaluate the effectiveness of these new job aids and training procedures during our 2011 financial audit. Accounting for Receivership Expenses: During our 2010 financial audit, we found that FDIC's internal controls over its accounting for receivership activity were not fully effective in ensuring that receivership disbursements were applied to the correct general ledger expense accounts. As a result, five receiverships reported misclassified expenses on their statements of operations. FDIC is responsible for managing and disposing of the assets and resolving the liabilities of failed institutions that are under FDIC receivership. In this capacity, FDIC is responsible for disbursing payments for expenses incurred by the receiverships. Receivership expenses include such items as utilities, real estate taxes, closing costs for sale of real estate owned, payment of dividends, service fees to FDIC Corporate, payroll for employees and contractors hired for the closing process, travel expenses of FDIC employees, and legal expenses. While receivership disbursements are not directly reported on the face of DIF's and FRF's financial statements, FDIC's payment of these expenses are reflected in the DIF's Receivables from resolutions, net and FRF's Receivables from thrift resolutions and other assets, net financial statement line items. Generally, disbursements are requested with a payment voucher that has been approved by an authorized FDIC official. Payment vouchers include accounting information such as the receivership number, vendor information, and the general ledger expense account to be charged. FDIC policy states that the voucher approvers are responsible for the accuracy and validity of expense coding by preparers and for holding preparers accountable for coding expenses correctly. Additionally, FDIC policy requires the Accounts Payable Unit to determine whether the payment voucher is approved and supported and whether the accounting information is complete and reasonable with regard to the transaction identified on the voucher. However, FDIC officials stated that the Accounts Payable Unit does not verify that the general ledger account selected is the correct account because that is the responsibility of the payment voucher approver. As part of our 2010 financial audit, we selected a statistical sample from both DIF and FRF of 105 receivership disbursement transactions. In testing these transactions, we found 11 of them were applied to an incorrect general ledger expense account. For example, an expense for real estate property insurance was incorrectly charged to general ledger expense account 5215 (Other Professional Services); it should have been charged to account 5500 (Real Estate/Personal Property Insurance). Based on the results of our testing, we are 90 percent confident that the percentage of disbursement transactions in the population applied to an incorrect general ledger expense account is not more than 15.4 percent. The Standards for Internal Control in the Federal Government[Footnote 17] provides that control activities are to help ensure that all transactions are completely and accurately recorded. Further, internal controls should generally be designed to assure that ongoing monitoring occurs in the course of normal operations. This includes effectively and regularly reviewing disbursement transactions for correct accounting information. Adequate monitoring of internal controls helps to ensure that disbursements are recorded to the correct general ledger expense account and that incorrect entries are identified and corrected timely. Although these errors had no impact on the DIF's or the FRF's financial statements, applying receivership disbursements to an incorrect general ledger expense account may result in misstating line items on a receivership's Statement of Operations, because each line item is made up of different general ledger expense accounts. For 6 of the 11 transactions, there was no impact on receivership financial reporting in 2010, but for the other 5, the errors resulted in the expense being misclassified on the receivership's Statement of Operations. Recommendation: We recommend that you take steps to reinforce the policy that voucher approvers ensure the accuracy and validity of general ledger expense coding and hold preparers accountable for coding expenses correctly. FDIC Comments and Our Evaluation: FDIC agreed with our recommendation. FDIC stated that, while it believes the risk of misstatement is low, it plans to reinforce the accountability of approvers when selecting general ledger accounts. Additionally, FDIC stated it would (1) provide job aids for users to explain general ledger account selection, (2) review and revise expense account definitions to consolidate or enhance clarity, and (3) enhance existing training for the voucher approver community. We will evaluate the effectiveness of these measures during our 2011 financial audit. Recognition of Systemic Risk Revenue: During our 2010 financial audit, we found that FDIC did not document an analysis supporting its decision to not recognize additional amounts of the deferred revenue related to the Temporary Liquidity Guarantee Program (TLGP) as income to the DIF in 2010. As a result, FDIC lacked documentation supporting its decision to retain over $9 billion in deferred revenue on DIF's balance sheet. The FDIC established the TLGP in October 2008 in an effort to counter the systemwide crisis in the nation's financial sector. The TLGP has two components: (1) the Debt Guarantee Program, under which participating financial entities could issue FDIC-guaranteed debt, [Footnote 18] and (2) the Transaction Account Guarantee Program, which insured non-interest-bearing transaction accounts.[Footnote 19] The FDIC charged entities a fee to participate in the TLPG. FDIC appropriately recorded the guarantee fees as assets of cash and receivables[Footnote 20] on the DIF's balance sheet with an offsetting liability entitled Deferred revenue-systemic risk. FDIC did not recognize the fees as income because the fees were to be held in reserve to cover potential future losses. In accordance with FDIC's Statement of Accounting Policy on Accounting for Systemic Risk Transactions, FDIC is to reduce the deferred revenue and recognize it as systemic risk revenue (income) for the DIF as TLGP expenses are incurred. Under that policy, FDIC also is to recognize systemic risk revenue if it determines that the amount set aside as deferred revenue exceeds the projected losses under the TLGP.[Footnote 21] The deferred revenue for the TLGP program was $9.1 billion at December 31, 2010. For 2010, FDIC determined it would not recognize the deferred revenue, despite the fact that it exceeded projected losses. Specifically, FDIC estimated it was probable that it would have $149 million of losses for the debt guarantee program,[Footnote 22] but it had deferred revenue of over $9 billion to cover those losses. FDIC's rationale was that, while it did not anticipate such losses, the total debt guaranteed under the TLGP of $267.1 billion at year end was significantly larger than the amount of deferred revenue collected to cover potential losses.[Footnote 23] FDIC believed that ongoing uncertainty dictated against recognizing revenue for 2010. Although FDIC cited uncertainty as the primary reason for not recognizing the deferred revenue, it did not document a formal analysis supporting this decision. FDIC's policy on systemic risk states that it will recognize revenue if a supportable and documented analysis has determined that the losses projected under the program are less than the deferred revenue (reserve). FDIC officials stated that the accounting policy only required a documented analysis if an amount was to be recognized. We do not disagree with FDIC's determination to not recognize additional deferred revenue at December 31, 2010. We believe, however, that the decision of whether or not to recognize systemic risk revenue, as well as the amount of such recognition, should be supported by a documented analysis. The Standards for Internal Control in the Federal Government[Footnote 24] provides that all transactions and other significant events (such as the recognition of revenue) need to be clearly documented, and the documentation should be readily available for examination. Without a documented analysis, FDIC lacks transparency in providing its rationale for its accounting treatment of a significant activity reported on DIF's financial statements. Recommendation: We recommend that you direct appropriate FDIC officials to document FDIC's analysis and conclusions regarding the amount of systemic risk revenue to recognize at December 31, 2011. FDIC Comments and Our Evaluation: FDIC agreed with our recommendation. FDIC stated that its analysis and conclusions regarding systemic risk revenue recognition should be documented, and stated that it will document the analysis for the current year. We will review and evaluate the appropriateness of this analysis and conclusions during our 2011 financial audit. Procedures over Financial Reporting: During our 2010 financial audit, we found FDIC's procedures over the monthly general ledger closing process were not sufficiently detailed to ensure staff understood and completed their responsibilities correctly. The lack of sufficient detailed guidance increased the risk that general ledger closing procedures would not be performed completely and effectively, which could result in financial reporting errors. To assist staff in performing their duties related to the month-end closing of the general ledger and financial reports preparation, FDIC has guidance in the DOF Accounting Operations Branch procedures. These written procedures are intended to describe the key steps and activities required to support FDIC's monthly general ledger closing. However, we found the procedures did not contain sufficient detailed guidance to assist staff in carrying out their month-end closing responsibilities properly. Specifically, we found that the procedures did not provide sufficient detail for staff to perform or managers to adequately review month-end closing steps related to recording asset depreciation expenses and allocating fringe benefits and leave. We found, for example, that FDIC's written procedures did not contain specific steps describing how to conduct a review to ensure that entries to record asset depreciation expense were correct. To compensate for this, FDIC staff responsible for recording depreciation used an informal checklist to determine whether depreciation expense was correctly calculated and recorded. With respect to the procedures related to FDIC's accounting for fringe benefits and leave, we found that the responsible FDIC staff person was unable to explain how fringe benefits and leave were allocated to correct budget codes and that the reviewer did not understand that the correct allocation required procedures to be performed in a specific sequence. The Standards for Internal Control in the Federal Government[Footnote 25] provides that pertinent information should be identified, captured, and distributed in a form and time frame that permits people to perform their duties efficiently. The information should be recorded and communicated in a form that enables management and others to carry out their internal control and other responsibilities. FDIC has acknowledged that its general ledger closing procedures can be enhanced. FDIC officials stated that it is in the process of revising the procedures related to recording asset depreciation expense and fringe benefits and leave allocation. Until remaining revisions are completed, however, there is risk that not all necessary procedures in the general ledger closing process will be performed or performed appropriately, resulting in errors to account balances during month-end closing. Recommendation: We recommend that you direct appropriate staff to complete revisions to the Accounting Operations Branch procedures regarding the preparation and review of depreciation expenses and fringe benefits and leave allocations to include providing sufficiently detailed steps staff and reviewers are to follow to perform their general ledger closing responsibilities completely and effectively. FDIC Comments and Our Evaluation: FDIC agreed with our recommendation and stated that it is in the process of revising its Accounting Operations Branch procedures and expects to complete these revisions by September 30, 2011. We will evaluate the effectiveness of these procedural updates during our 2011 financial audit. Status of Prior Years' Audit Recommendations: At the beginning of our 2010 financial audit, we had 16 recommendations to improve FDIC's financial operations from our prior audits that remained open and therefore required corrective action by FDIC.[Footnote 26] FDIC has continued to work to address many of the internal control issues to which these open recommendations relate. In the course of performing our 2010 financial audit, we identified numerous actions FDIC took to address many of these internal control issues. On the basis of its actions, which we were able to substantiate through our audit, we are closing 12 of our prior years' audit recommendations. As discussed in this report, during our audit of FDIC's 2010 financial statements, we identified additional internal control issues that require corrective action and are making 6 new recommendations to address these matters. Consequently, a total of 10 financial management-related recommendations remain to be addressed at the completion of our 2010 audit--4 from prior years and 6 new recommendations resulting from our 2010 audit. Of the 4 recommendations that remain open from prior years, one is from our 2008 audit and relates to internal controls over receivership receipts at the Dallas lockbox facility. Although FDIC performed limited testing to gain assurance that controls at the lockbox are functioning correctly, additional action in this area is required as the tests performed did not fully meet the intent of the recommendation. The remaining 3 open recommendations are from our 2009 financial audit and are all related to processing Receivership Disbursements. Although FDIC took steps to develop and implement written policies and procedures over assigning specific responsibilities related to receivership disbursement accounting, during our 2010 audit we continued to find instances where responsibility for reconciling and correcting the accounts went unassigned. Our 2010 audit findings indicate that additional actions are needed to develop fully effective policies and procedures in this area. Enclosure I provides the status as of March 14, 2011, of the recommendations related to previously identified control deficiencies that were open at the beginning of our 2010 financial audit. This report contains recommendations to you. We would appreciate receiving a description and status of your corrective actions within 30 days of the date of this report. This report is intended for use by FDIC management, members of the FDIC Audit Committee, and the FDIC Inspector General. We are sending copies of this report to the Chairman and Ranking Member of the Senate Committee on Banking, Housing, and Urban Affairs; the Chairman and Ranking Member of the House Committee on Financial Services; the Chairman of the Board of Directors of the Federal Deposit Insurance Corporation; the Chairman of the Board of Governors of the Federal Reserve System; the Comptroller of the Currency; the Director of the Office of Thrift Supervision; the Secretary of the Treasury; the Director of the Office of Management and Budget; and other interested parties. In addition, this report will be available at no charge on GAO's Web site at [hyperlink, http://www.gao.gov]. We acknowledge and appreciate the cooperation and assistance provided by FDIC management and staff during our audits of FDIC's 2010 and 2009 financial statements. Please contact me at (202) 512-3406 or sebastians@gao.gov if you or your staff have any questions concerning this report. Contact points for our Offices of Congressional Relations and Public Affairs may be found on the last page of this report. GAO staff who made major contributions to this report are listed in enclosure IV. Sincerely yours, Steven J. Sebastian: Director: Financial Management and Assurance: Enclosures - 4: [End of section] Enclosure I: Status of Recommendations That Were Open at the Beginning of GAO's Audit of FDIC's 2010 Financial Statements: Audit area: Oversight of lockbox bank: 1: Revise procedures to obtain assurance--through such means as SAS 70 reports, internal audit reports, and other monitoring processes--that internal controls over receivership receipts are in place and functioning properly at the Dallas lockbox facility; FDIC action: To address this recommendation, FDIC performed some limited tests to gain assurance that the lockbox controls were functioning properly. However, the tests did not fully meet the intent of this recommendation. We will continue to monitor FDIC's actions during our 2011 financial audit; Year initially reported: 2008; Status of corrective action as of March 14, 2011: In progress. Audit area: Processing receivership receipts: 2: Document and implement a policy regarding a time frame, such as the current target of 90 days, by which receivership receipts are to be applied to the appropriate receivership accounts; FDIC action: To address this recommendation, on December 31, 2009, FDIC issued and implemented a policy entitled "Accounting Policy for the Timely Application of Unapplied Funds." This policy sets a time frame for applying receivership receipts to the appropriate account; Year initially reported: 2008; Status of corrective action as of March 14, 2011: Completed. 3: Establish a monitoring process to ensure that reconciliations between the receivership general ledger and the receivership operating bank account are timely prepared, and differences arising from these reconciliations are timely identified, researched, and resolved; FDIC action: To address this recommendation, in July 2010, FDIC established a written weekly reporting process to monitor whether reconciliations are prepared timely. We tested FDIC's implementation of its new process during the 2010 financial audit and found it to be working effectively; Year initially reported: 2009; Status of corrective action as of March 14, 2011: Completed. Audit area: Net receivables: 4: Establish a mechanism for monitoring implementation of newly issued policies and procedures within the Division of Resolutions and Receiverships (DRR) regarding the review process for calculation of initial loss-share loss estimates to verify compliance by DRR personnel; FDIC action: To address this recommendation, FDIC chartered the Closed Bank Financial Risk Committee (FRC) to provide governance and monitoring for policies and procedures related to assumptions and controls over the Least Cost Test methodology, which includes estimating the total cost of resolving failed banks, estimating costs specific to loss-sharing agreements, and valuing failed bank assets. We reviewed the charter of the FRC during the 2010 financial audit and concluded this is an effective governance and monitoring tool; Year initially reported: 2009; Status of corrective action as of March 14, 2011: Completed. 5: Develop specific procedures for developing the loss-share worksheet, to include documenting the assumptions made in the loss- share worksheet and the rationale behind existing assumptions; FDIC action: To address these recommendations, FDIC established the Closed Bank Financial Risk Committee (FRC), which meets quarterly to review the methodology and assumptions used in the Least Cost Test (including loss-share). In addition, before new assumptions and methodologies for the Least Cost Test are implemented, they are approved in writing by the Associate Director of the Franchise Asset Marketing Branch. We reviewed the charter of the FRC during the 2010 financial audit and concluded this is an effective governance and monitoring tool. We also concluded the additional review and approval by the Associate Director of the Franchise and Asset Marketing Branch is an effective control and we will monitor FDIC compliance with that control as assumptions change; Year initially reported: 2009; Status of corrective action as of March 14, 2011: Completed; 6: Develop policies and procedures to provide for and document periodic management review and approval of the loss-share worksheet, to include assumptions, and any changes in assumptions over time, used in preparing the worksheet; FDIC action: To address these recommendations, FDIC established the Closed Bank Financial Risk Committee (FRC), which meets quarterly to review the methodology and assumptions used in the Least Cost Test (including loss-share). In addition, before new assumptions and methodologies for the Least Cost Test are implemented, they are approved in writing by the Associate Director of the Franchise Asset Marketing Branch. We reviewed the charter of the FRC during the 2010 financial audit and concluded this is an effective governance and monitoring tool. We also concluded the additional review and approval by the Associate Director of the Franchise and Asset Marketing Branch is an effective control and we will monitor FDIC compliance with that control as assumptions change; Year initially reported: 2009; Status of corrective action as of March 14, 2011: Completed. 7: Establish and document detailed procedures for Division of Finance (DOF) officials to follow in reviewing the Loan Loss Reserve (LLR) template calculations to ensure they are complete and accurate, including data requiring verification; FDIC action: To address this recommendation, FDIC embedded additional review checklist procedures into each LLR template to improve the review process for the LLR templates. We tested FDIC's new checklist procedure during our 2010 financial audit. Although FDIC's actions to improve its controls over the LLR template process were largely effective in preventing, or detecting and correcting, significant errors and omissions as of December 31, 2010, FDIC's review process did not always detect and correct errors as of year-end. We are making a separate recommendation in this report to address this matter; Year initially reported: 2009; Status of corrective action as of March 14, 2011: Completed. 8: Establish a mechanism to monitor the implementation of the newly issued policies and procedures pertaining to the documentation of review and approval of loss-share payment certificates; FDIC action: To address this recommendation, FDIC created a Loss Share Certificate and Data Checklist that is included in the loss-share payment voucher package along with the payment voucher, acquiring institution filed asset certificates, and asset loss schedules. The entire payment voucher package is reviewed and approved by management. We tested FDIC's new checklist process during our 2010 financial audit and found it to be working effectively; Year initially reported: 2009; Status of corrective action as of March 14, 2011: Completed. Audit area: Cash; 9: Establish a process to monitor the corporation's adherence to its procedures to complete reconciliations of the DIF's cash account balances, to timely resolve any unreconciled differences, and to identify and address any obstacles that would preclude the completion of such reconciliations; FDIC action: To address this recommendation, FDIC established written procedures for reconciling account 1042 and account 1020. FDIC has also coordinated with Federal Home Loan Bank of New York's check processing servicing company (FISERV) to receive check presentments in a time frame that allows FDIC to promptly reject previously voided checks. We tested FDIC's new procedures during our 2010 financial audit and found them to be working effectively; Year initially reported: 2009; Status of corrective action as of March 14, 2011: Completed. Audit area: Processing receivership disbursements; 10: Develop and implement written policies and procedures for assigning responsibility and detailing actions required to effectively review and approve payment vouchers, enter and verify payment vouchers in the accounts payable system, and generate receivership payments through checks, wires, or electronic fund transfers; FDIC action: To address these recommendations, FDIC developed and implemented written policies and procedures that prescribe specific actions required for processing receivership disbursements, tracking the receivership open liabilities posted to account number 2000 (Accounts Payable), and reviewing and canceling stale checks. However, during our 2010 audit, we found limitations in the written policies and procedures, such as not assigning responsibility for reconciling and clearing the 2000 account. We will continue to monitor FDIC's actions during our 2011 financial audit; Year initially reported: 2009; Status of corrective action as of March 14, 2011: In progress. 11: Develop and implement written policies and procedures for reviewing receivership liabilities, including assigning responsibility and detailing actions required for performing oversight reviews and the frequency for performing such reviews; FDIC action: To address these recommendations, FDIC developed and implemented written policies and procedures that prescribe specific actions required for processing receivership disbursements, tracking the receivership open liabilities posted to account number 2000 (Accounts Payable), and reviewing and canceling stale checks. However, during our 2010 audit, we found limitations in the written policies and procedures, such as not assigning responsibility for reconciling and clearing the 2000 account. We will continue to monitor FDIC's actions during our 2011 financial audit; Year initially reported: 2009; Status of corrective action as of March 14, 2011: In progress. 12: Develop and implement written policies and procedures for reviewing and canceling stale checks, including assigning specific responsibility, stating the frequency in which stale checks should be reviewed and canceled, and detailing the manner in which banks are to be notified to cancel stale checks; FDIC action: To address these recommendations, FDIC developed and implemented written policies and procedures that prescribe specific actions required for processing receivership disbursements, tracking the receivership open liabilities posted to account number 2000 (Accounts Payable), and reviewing and canceling stale checks. However, during our 2010 audit, we found limitations in the written policies and procedures, such as not assigning responsibility for reconciling and clearing the 2000 account. We will continue to monitor FDIC's actions during our 2011 financial audit; Year initially reported: 2009; Status of corrective action as of March 14, 2011: In progress. Audit area: Debt Guarantee Program (DGP); 13: Establish written procedures to provide for the periodic review of the computer program used in the DGP loss estimation process, how such reviews should be conducted, and documentation evidencing the review; FDIC action: To address this recommendation, FDIC developed written procedures to provide for periodic review of the computer program used in the DGP loss estimation process, how such reviews should be conducted, and documentation evidencing the review. During our 2010 financial audit, we verified that these procedures were documented and implemented; Year initially reported: 2009; Status of corrective action as of March 14, 2011: Completed. Audit area: Transaction Account Guarantee Program (TAG); 14: Revise procedures to review and analyze the impact of institution failures that occur subsequent to year-end, but prior to the issuance of the DIF's financial statements, on the year-end contingent liabilities for TAG in a manner consistent with that performed for the contingent liability for anticipated failures; FDIC action: With the passage of the Dodd-Frank Wall Street Reform and Consumer Protection Act, beginning on December 31, 2010, and continuing through December 31, 2012, the contingent liability for TAG deposits was in essence replaced with a transaction account deposit guarantee program with the related contingent liability being consolidated within the Contingent Liabilities for Anticipated Failures line item on DIF's Balance Sheet. FDIC is now following the same subsequent event period procedures for the transaction account deposit guarantee estimate as it does for the contingent liability for anticipated failures estimate, which satisfies the intent of this recommendation; Year initially reported: 2009; Status of corrective action as of March 14, 2011: Completed. Audit area: Financial reporting--Statement of Cash Flows; 15: Revise FDIC's process used to prepare the statement of cash flows to include capital cash entries in determining the change in the Accounts Payable and Other Liabilities line item; FDIC action: FDIC revised its procedures for preparing the DIF's Statement of Cash Flows in a manner that improved the accuracy of the financial statements and thus met the intent of these recommendations; Year initially reported: 2009; Status of corrective action as of March 14, 2011: Completed. 16: Revise FDIC's process used to prepare the statement of cash flows to include capital cash entries in the Purchase of Property and Equipment line item; FDIC action: FDIC revised its procedures for preparing the DIF's Statement of Cash Flows in a manner that improved the accuracy of the financial statements and thus met the intent of these recommendations; Year initially reported: 2009; Status of corrective action as of March 14, 2011: Completed. [End of table] [End of section] Enclosure II: Details on Audit Scope and Methodology: To fulfill our responsibilities as auditor of the financial statements of the two funds administered by the Federal Deposit Insurance Corporation (FDIC), we did the following: * Examined, on a test basis, evidence supporting the amounts and disclosures in the financial statements. * Assessed the accounting principles used and significant estimates made by FDIC management. * Evaluated the overall presentation of the financial statements. * Obtained an understanding of FDIC and its operations, including its internal control related to financial reporting (including safeguarding assets) and compliance with laws and regulations. * Assessed the risk that a material misstatement exists. * Tested relevant internal controls over financial reporting and compliance, and evaluated the design and operating effectiveness of FDIC's internal control based on the assessed risk. * Considered FDIC's process for evaluating and reporting on internal control based on criteria established under 31 U.S.C. § 3512(c), (d), commonly known as the Federal Managers' Financial Integrity Act of 1982. * Tested compliance with certain laws and regulations, including selected provisions of the Federal Deposit Insurance Act, as amended, and the Federal Deposit Insurance Reform Act of 2005. * Performed such other procedures as we considered necessary in the circumstances. [End of section] Enclosure III: Comments from the Federal Deposit Insurance Corporation: FDIC: Federal Deposit Insurance Corporation: Deputy to the Chairman and CFO: 550 17th Street NW: Washington, D.C. 20429-9990: August 1, 2011: Mr. Steven Sebastian: Director, Financial Management and Assurance: U.S. Government Accountability Office: Washington, D.C. 20548: Dear Mr. Sebastian: Thank you for providing the U.S. Government Accountability Office's (GAO) draft report titled, Management Report: Opportunities for Improvements in FDIC's Internal Controls and Accounting Procedures (GAO-11-687R). We welcome the opportunity to review and comment on the draft report. Although the report contains new recommendations for improvement, we appreciate GAO's acknowledgment of the corrective actions that FDIC implemented to address previously reported internal control issues. FDIC remains committed to strengthening its internal control environment and making improvements, as needed, to processes and procedures. We continue to be proactive in addressing issues that could adversely impact controls over financial reporting. Our specific responses to the GAO findings and recommendations are included in the attachment to this letter. We look forward to continuing our positive working relationship with the GAO during the 2011 financial statements audit. With the continued dedication of staff we will further enhance internal controls and accounting procedures. Any questions or comments on these matters should be directed to James H. Angel, Jr., Director, Office of Enterprise Risk Management, at 703-562-6456. Sincerely, Signed by: Steven O. App: Deputy to the Chairman and Chief Financial Officer: Attachment: cc: Craig Jarvill: Bret Edwards: James H. Angel, Jr. Audit Committee: [End of letter] FDIC Response to the 2010 GAO Management Report: Documentation of Loss-Share Loss Estimation Process: Recommendation 1: GAO recommended that the Chief Financial Officer direct the appropriate FDIC officials to develop comprehensive loss-share process documentation to include detailing the loss-share loss estimation process steps to be followed from the inception of the agreement to the reporting on the financial statements, including details regarding assumptions, databases, computer programs, and any other related materials used to estimate losses resulting from loss-share agreements. Management Response: We concur with the recommendation. FDIC agrees to improve our loss- share loss estimation documentation. We plan to improve our data flow diagrams, linkage, and traceability across loss-share process documentation. In addition to improving documentation continuity, FDIC has instituted the Closed Bank Financial Risk Committee where the loss estimation methodologies, assumptions, application, and process monitoring are fully briefed and vetted. We plan to complete our documentation improvements by December 30, 2011. Reviews of the Allowance for Losses Estimation Process: Recommendation 2: GAO recommended that the Chief Financial Officer direct the appropriate FDIC officials to consider and adopt as appropriate, additional cost effective automated tools and procedures for the Division of Finance (DOF) officials to enhance the review and monitoring activities related to the Loan Loss Reserve (LLR) templates to gain additional assurance that the underlying data and calculations are complete and accurate. Management Response: We concur with the recommendation. DOF is developing a webfocus-based LLR report process that will automate the generation of the LLR templates and incorporate the use of error reports to identify unintended input items. DOF expects this automated process will enhance the quality assurance reviews of our LLR templates upon its full implementation by August 31, 2011. Review of Asset Valuations: Recommendation 3: GAO recommended that the Chief Financial Officer establish a mechanism to better ensure FDIC officials comply with the SAVE methodology's review procedures for asset valuations, including correctly tracing the numbers used in the calculations back to the source documents and verifying that asset valuations are fully substantiated, logical, and accurate. Management Response: We concur with the recommendation. On July 21, 2011, the Asset Loss Reserve (ALR) Project Team completed two very significant steps in this regard. The first step was to rewrite the Standard Asset Value Estimation (SAVE) Manual as individual SAVE Job Aids to facilitate an expedited approach to updating any changes in the "step-by-step" instruction. In doing so, more guidance is provided regarding roles and responsibilities, including specifics about how to verify calculations and actions, affirm that assumptions are correctly applied, and review supporting documents that are the source for the calculations, actions, and assumptions. The second step was to conduct an intensive classroom training that drills deep into the actual valuation preparation and review process, with examples of the correct and incorrect calculations and narratives for both. With this new training, expectations are further set ahead of time. Rosters will be maintained to certify who attended the class. The two steps, together, should serve to bring the AI,R process to a higher level of quality control and assurance that asset valuations are accurately conducted, thoroughly reviewed, and properly documented. Accounting for Receivership Expenses: Recommendation 4: GAO recommended that the Chief Financial Officer take steps to reinforce the policy that voucher approvers ensure the accuracy and validity of general ledger expense coding and hold preparers accountable for coding expenses correctly. Management Response: We concur with the recommendation. The Division of Resolutions & Receiverships (DRR) management agrees that accuracy in receivership expense coding is important and merits attention. However, given the relationship of receivership financial statements to the FDIC corporate financial statements and how receivership expenses are analyzed, we believe most misclassifications between expense accounts represent a low risk to the misstatement of financial statements. Management will work diligently to address this issue but recognizes that given the volume of activity certain minor miscoding may continue to occur. Specifically, DRR and DOF will work together to: * Globally reinforce the accountability of approvers when selecting general ledger (GL) accounts. Completion date: 10/15/2011 and ongoing. * Provide "Job Aids" for user use in explaining GL account selection. Completion date: 11/30/2011. * Review and revise expense account definitions to consolidate or enhance clarity as appropriate. Completion date: 11/30/2011. * Enhance the existing training to the voucher approver community. Completion date: 12/15/2011. Recognition of Systemic Risk Revenue: Recommendation 5: GAO recommended that the Chief Financial Officer direct appropriate FDIC officials to document FDIC's analysis and conclusions regarding the amount of systemic risk revenue to recognize at December 31, 2011. Management Response: We concur with the recommendation. FDIC will document the analysis and supporting basis for its year-end decision to either recognize systemic risk revenue prior to the expiration of the Temporary Liquidity Guarantee Program or continue to retain fees held in reserve due to the ongoing uncertainty of potential losses. We will complete the documented analysis of our assessment for the year ending December 31, 2011, by January 31, 2012. Procedures Over Financial Reporting: Recommendation 6: GAO recommended that the Chief Financial Officer direct appropriate staff to complete revisions to the Accounting Operations Branch (AOB) procedures regarding the preparation and review of depreciation expenses and fringe benefits and leave allocations to include providing sufficiently detailed steps staff and reviewers are to follow to perform their general ledger closing responsibilities completely and effectively. Management Response: We concur with the recommendation. DOF is in the process of revising the aforementioned AOB procedures and expects them to be completed by September 30, 2011. Status of Prior Years' Audit Recommendations: Oversight of Lockbox Bank: Recommendation: Revise procedures to obtain assurance-—through such means as SAS 70 reports, internal audit reports, and other monitoring processes-—that internal controls over receivership receipts are in place and functioning properly at the Dallas lockbox facility. Management Response: We concur with the recommendation. FDIC plans to review and cross check our procedure revisions developed in 2010/2011 to ensure the concerns indicated by GAO are covered in a clear and controlled manner. Our service provider does not engage a SAS 70 audit as it is not required; therefore it is unavailable. In addition, the following actions have or will be in place by December 30, 2011, to control the lockbox function: * A letter will continue to be obtained from our service provider that outlines their internal control procedures. * A "Job Aid" will be written to document the lockbox process. * FDIC will conduct an annual visitation at the lockbox operation to review process controls. Results of the visitation will be documented. * Periodic tests throughout the year will be performed that will ensure various aspects of the lockbox operation are reviewed. Processing Receivership Disbursements: Recommendations: Develop and implement written policies and procedures for: * Assigning responsibility and detailing actions required to effectively review and approve payment vouchers, enter and verify payment vouchers in the accounts payable system, and generate receivership payments through checks, wires, or electronic fund transfers. * Reviewing receivership liabilities, including assigning responsibility and detailing actions required for performing oversight reviews and the frequency for performing such reviews, and; * Reviewing and canceling stale checks, including assigning specific responsibility, stating the frequency in which stale checks should be reviewed and canceled, and detailing the manner in which banks are to be notified to cancel stale checks. Management Response: We concur with the recommendations. FDIC agrees with the importance of ensuring that controls are clear in written procedures. To answer these additional comments by GAO, Business Operation Support plans to review and cross check our procedure revisions developed in 2010/2011 to ensure indicated concerns are addressed in a clear and controlled manner by November 15, 2011. [End of section] Enclosure IV: GAO Contact and Staff Acknowledgments: GAO Contact: Steven J. Sebastian, (202) 512-3406 or sebastians@gao.gov: Staff Acknowledgments: The following individuals made key contributions to this report: William J. Cordrey, Assistant Director; Roshni Agarwal; Teressa Broadie-Gardner; Gloria Cano; Gary Chupka; Dennis Clarke; John Craig; Nina Crocker; Jody Ecie; Brian Koning; Marc Oestreicher; Leticia Pena; Angel Sharma; Jay Thomas; and Gregory Ziombra. [End of section] Footnotes: [1] GAO, Financial Audit: Federal Deposit Insurance Corporation Funds' 2010 and 2009 Financial Statements, [hyperlink, http://www.gao.gov/products/GAO-11-412] (Washington, D.C.: Mar. 18, 2011). [2] A significant deficiency is a control deficiency, or combination of deficiencies, in internal control that is less severe than a material weakness, yet important enough to merit attention by those charged with governance. A deficiency in internal control exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent, or detect and correct misstatements on a timely basis. [3] A material weakness is a deficiency, or a combination of deficiencies, in internal control such that there is a reasonable possibility that a material misstatement of the entity's financial statements will not be prevented, or detected and corrected on a timely basis. [4] Issues and recommendations related to our information systems security work performed under our audits are reported separately due to their sensitive nature. For the public version of our report, see GAO, Information Security: Federal Deposit Insurance Corporation Needs to Mitigate Control Weaknesses, [hyperlink, http://www.gao.gov/products/GAO-11-29] (Washington, D.C.: Nov. 30, 2010) and Information Security: Federal Deposit Insurance Corporation Has Made Progress, but Further Actions Are Needed to Protect Financial Data, [hyperlink, http://www.gao.gov/products/GAO-11-708] (Washington, D.C.: pending issuance). [5] The FDIC is also the manager of the Orderly Liquidation Fund established under title II of the Dodd-Frank Wall Street Reform and Consumer Protection Act, Pub. L. No. 111-203, § 210(n), 124 Stat. 1376, 1506 (July 21, 2010). That fund, established as a separate fund in the U.S. Treasury, is unfunded and conducted no transactions during the years covered by our audit. Thus FDIC did not prepare financial statements for the fund. [6] FDIC has used three basic methods to resolve failed financial institutions: purchase and assumption transactions, insured deposit transfers, and deposit payoffs. Of the three, purchase and assumption transactions are the most common. A purchase and assumption is a resolution transaction in which a financially sound institution purchases some or all of the assets of a failed bank or thrift and may assume some or all of the liabilities, including all insured deposits. [7] Losses covered under the loss-share agreements include losses incurred through the sale, foreclosure, loan modification, or write- down of loans in accordance with the terms of the loss-share agreement. [8] The allowance for losses represents the difference between the amount owed to the DIF by a receivership for payment of insured deposits and other resolution expenses and the amount expected to be repaid from the servicing and liquidation of the receivership's assets (such as from sale of loans and other assets of the failed institution). The losses estimated from a loss-share agreement reduce the amount available for a receivership to repay the DIF's receivable due to resolutions. [9] GAO, Financial Audit: Federal Deposit Insurance Corporation Funds' 2009 and 2008 Financial Statements, [hyperlink, http://www.gao.gov/products/GAO-10-705] (Washington, D.C.: June 25, 2010). [10] [hyperlink, http://www.gao.gov/products/GAO-11-708]. [11] GAO, Standards for Internal Control in the Federal Government, [hyperlink, http://www.gao.gov/products/GAO/AIMD-00-21.3.1] (Washington, D.C.: Nov. 1, 1999). [12] [hyperlink, http://www.gao.gov/products/GAO-10-705]. [13] GAO, Management Report: Opportunities for Improvements in FDIC's Internal Controls and Accounting Procedures, [hyperlink, http://www.gao.gov/products/GAO-11-23R] (Washington, D.C.: Nov. 30, 2010). [14] For 2010, FDIC completed LLR templates for each of its over 300 active DIF receiverships. Each LLR template included dozens of calculations, spreadsheet cell formulas, and cell references. [15] [hyperlink, http://www.gao.gov/products/GAO/AIMD-00-21.3.1]. [16] [hyperlink, http://www.gao.gov/products/GAO/AIMD-00-21.3.1]. [17] [hyperlink, http://www.gao.gov/products/GAO/AIMD-00-21.3.1]. [18] The Debt Guarantee Program guaranteed new-issued senior unsecured debt issued by insured depository institutions, designated affiliates, and certain holding companies between October 14, 2008, and October 31, 2009, with the guarantee expiring on or before December 31, 2012. [19] The Transaction Account Guarantee Program provided unlimited coverage for non-interest-bearing transaction accounts held by insured participating depository institutions until December 31, 2010. [20] Cash and investments-restricted-systemic risk and receivables and other assets-systemic risk. [21] At the end of the TLGP in 2012, any remaining deferred revenue will be recognized as systemic risk income to the DIF since there will be no further potential for losses under the program. [22] At December 31, 2010, the "probable" contingent liability of $149 million was included in the "Contingent liability for systemic risk" line item. The FDIC believes that it is reasonably possible that additional estimated losses of approximately $545 million could occur under the Debt Guarantee Program. [23] Sixty-six financial entities (39 insured depository institutions and 27 affiliates and holding companies) had guaranteed debt outstanding at December 31, 2010, under the Debt Guarantee Program. [24] [hyperlink, http://www.gao.gov/products/GAO/AIMD-00-21.3.1]. [25] [hyperlink, http://www.gao.gov/products/GAO/AIMD-00-21.3.1]. [26] Issues and recommendations related to our information systems security work performed under our audits are reported separately due to their sensitive nature. For the public version of our report, see [hyperlink, http://www.gao.gov/products/GAO-11-29] and [hyperlink, http://www.gao.gov/products/GAO-11-708]. [End of section] GAO's Mission: The Government Accountability Office, the audit, evaluation and investigative arm of Congress, exists to support Congress in meeting its constitutional responsibilities and to help improve the performance and accountability of the federal government for the American people. GAO examines the use of public funds; evaluates federal programs and policies; and provides analyses, recommendations, and other assistance to help Congress make informed oversight, policy, and funding decisions. GAO's commitment to good government is reflected in its core values of accountability, integrity, and reliability. Obtaining Copies of GAO Reports and Testimony: The fastest and easiest way to obtain copies of GAO documents at no cost is through GAO's Web site [hyperlink, http://www.gao.gov]. Each weekday, GAO posts newly released reports, testimony, and correspondence on its Web site. To have GAO e-mail you a list of newly posted products every afternoon, go to [hyperlink, http://www.gao.gov] and select "E-mail Updates." Order by Phone: The price of each GAO publication reflects GAO’s actual cost of production and distribution and depends on the number of pages in the publication and whether the publication is printed in color or black and white. Pricing and ordering information is posted on GAO’s Web site, [hyperlink, http://www.gao.gov/ordering.htm]. Place orders by calling (202) 512-6000, toll free (866) 801-7077, or TDD (202) 512-2537. Orders may be paid for using American Express, Discover Card, MasterCard, Visa, check, or money order. Call for additional information. To Report Fraud, Waste, and Abuse in Federal Programs: Contact: Web site: [hyperlink, http://www.gao.gov/fraudnet/fraudnet.htm]: E-mail: fraudnet@gao.gov: Automated answering system: (800) 424-5454 or (202) 512-7470: Congressional Relations: Ralph Dawn, Managing Director, dawnr@gao.gov: (202) 512-4400: U.S. Government Accountability Office: 441 G Street NW, Room 7125: Washington, D.C. 20548: Public Affairs: Chuck Young, Managing Director, youngc1@gao.gov: (202) 512-4800: U.S. Government Accountability Office: 441 G Street NW, Room 7149: Washington, D.C. 20548: